I have an ASA 5550 operating 9.0(2). I have set up DNS servers internally for 2 different domains and have set up a static NAT from DNS server to the public IP address for each domain. I want to be able to allow traffic from one internal DNS (domain1) to make a request to the other internal DNS (domain2) but going through the ASA to the associated public IP address.
The packet tracer and the real-time log viewer are indicating that this should work, but the initiating server is getting a resolution timeout. Any thoughts as to what I might be missing in the config?
Are you saying that you want both of the DNS servers to be able to connect to each other's public NAT IP address?
If so, then to my understanding the above configurations would not be enough as they are only performing Static NAT towards the "outside" interface while the traffic between them would be hairpinned on the "inside" interface, as you can not connect to a NAT IP address that is on a far-end interface. And by that I mean that you cannot connect to a NAT IP address that is located on another interface than where your source host is.
Therefore it would seem to me that the configuration that would enable these two DNS servers to communicate with each other's public IP address would be this
The above command should be looking for traffic coming from DNS-DOMAIN1-LOCAL towards DNS-DOMAIN2-PUBLIC and would then proceed to UN-NAT the DNS-DOMAIN2-PUBLIC to DNS-DOMAIN2-LOCAL and NAT the DNS-DOMAIN1-LOCAL to DNS-DOMAIN1-PUBLIC.
This single NAT configuration is bidirectional so it should work no matter which host initiates the connection.
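As an added example (not the configuration posted in this thread), this is the manual (twice) NAT rule the reply above describes, using the object names from the thread with constructed addresses; the `same-security-traffic` line is also added here, since traffic that enters and leaves the same ASA interface is dropped without it.

```cisco
! Added example, not the thread's own configuration.
! Object names follow the thread; all addresses are constructed placeholders.
object network DNS-DOMAIN1-LOCAL
 host 10.10.139.140
object network DNS-DOMAIN1-PUBLIC
 host 203.0.113.10
object network DNS-DOMAIN2-LOCAL
 host 10.10.139.150
object network DNS-DOMAIN2-PUBLIC
 host 203.0.113.20
!
! Hairpin traffic enters and leaves "inside"; the ASA drops it unless
! intra-interface traffic is permitted.
same-security-traffic permit intra-interface
!
! Manual (twice) NAT, inserted at line 1 so it is evaluated before the existing
! static NATs to "outside". Source DNS-DOMAIN1-LOCAL is translated to
! DNS-DOMAIN1-PUBLIC; destination DNS-DOMAIN2-PUBLIC is un-NATed to
! DNS-DOMAIN2-LOCAL. The rule is bidirectional.
nat (inside,inside) 1 source static DNS-DOMAIN1-LOCAL DNS-DOMAIN1-PUBLIC destination static DNS-DOMAIN2-PUBLIC DNS-DOMAIN2-LOCAL
!
! Verification: the rule should show hits and the simulated DNS query should
! be allowed with an inside -> inside connection, not inside -> outside.
show nat detail
packet-tracer input inside udp 10.10.139.140 54221 203.0.113.20 53
```

If the packet-tracer output still shows the egress interface as "outside", a NAT rule above this one is matching first, or intra-interface traffic is not permitted.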
Yes, DNS-Domain1 local is trying to resolve a host from DNS-Domain 2 using the public IP of Domain 2. I entered the commands you provided. The real time viewer shows that a connection was built but the resolution still timed out
10.10.139.140 54221 192.168.1.36 53 Built outbound UDP connection 216733264 for outside:192.168.1.36/53 (192.168.1.36/53) to inside:10.10.139.140/54221 (192.168.1.42/54221)
If the traffic matched the above NAT configuration I mentioned you should be seeing a log message of a connection built from "inside" to "inside".
If both of your actual hosts are behind "inside" and either of them tried to connect with UDP/53 towards the other ones public IP address then the above mentioned NAT configuration should be matched.
Then again I did not use the line number 1 in the above NAT configuration to insert it at the very top but to be honest the above log messages seem like something we should not be seeing if the suggested NAT configuration was matched.
If you were to add that NAT configuration to the top it could be done by adding it with the number 1
Though it doesn't really seem to me that the NAT configurations you mentioned should interfere with this command working. Unless of course there are some other NAT configurations on top of this new NAT configuration.
Thank you for your help. It still doesn't work and I never see a log message that says the connection was built inside-inside. I even made sure I inserted the new NAT rule at the beginning. Right now if I let each DNS out to the Internet (i.e. Google 220.127.116.11) they are able to get the proper name resolution. I was looking to do it more local and save the trip and bandwidth to the internet. Maybe I can revisit this some other day but for now I just need to move forward.
Based on the previous discussions I have had here on the forums that have related to special NAT configurations where traffic should be forwarded to a different interface than the ASA would use by default, I would have to say that your problem of the NAT not working most likely is because of your software level.
I personally use 8.4(5) and this has always worked for me.
I had some problems on the 9.x series software and so far the only software I can remember it working on was 9.1(1) while I had problems on the other 9.0 and 9.1 series software versions.